Httpd
Httpd
安装httpd服务
//以下为源码安装
//1.准备工作
[root@localhost ~]# yum -y install wget bzip2 gcc gcc-c++ make pcre-devel expat-devel libxml2-devel
//2.下载源码包
[root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache/httpd/httpd-2.4.46.tar.bz2
[root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-1.7.0.tar.gz
[root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-util-1.6.1.tar.gz
[root@localhost ~]# ls
anaconda-ks.cfg apr-1.7.0.tar.gz apr-util-1.6.1.tar.gz httpd-2.4.46.tar.bz2
//3.安装apr
[root@localhost ~]# tar xf apr-1.7.0.tar.gz
[root@localhost ~]# cd apr-1.7.0
[root@localhost apr-1.7.0]# vi configure
//注释这一行(否则 apr 1.7.0 的 configure 可能在结尾报 rm: cannot remove 'libtoolT' 错误)
# $RM "$cfgfile"
[root@localhost apr-1.7.0]# ./configure --prefix=/usr/local/apr
[root@localhost apr-1.7.0]# make
[root@localhost apr-1.7.0]# make install
//4.安装apr-util
[root@localhost apr-1.7.0]# cd
[root@localhost ~]# tar xf apr-util-1.6.1.tar.gz
[root@localhost ~]# cd apr-util-1.6.1
[root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@localhost apr-util-1.6.1]# make
[root@localhost apr-util-1.6.1]# make install
//5.安装httpd
[root@localhost apr-util-1.6.1]# cd
[root@localhost ~]# tar xf httpd-2.4.46.tar.bz2
[root@localhost ~]# cd httpd-2.4.46
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/apache \
--sysconfdir=/etc/httpd24 \
--enable-so \
--enable-ssl \
--enable-cgi \
--enable-rewrite \
--with-zlib \
--with-pcre \
--with-apr=/usr/local/apr \
--with-apr-util=/usr/local/apr-util/ \
--enable-modules=most \
--enable-mpms-shared=all \
--with-mpm=prefork
[root@localhost httpd-2.4.46]# make
[root@localhost httpd-2.4.46]# make install
//6.设置环境变量(第6~8步的路径必须与第5步的 --prefix 一致:上面用的是 --prefix=/usr/local/apache,则这里应写 /usr/local/apache/bin;下文的 /usr/local/httpd 对应文末 --prefix=/usr/local/httpd 的安装方式)
[root@localhost ~]# vi /etc/profile.d/httpd.sh
export PATH=$PATH:/usr/local/httpd/bin
[root@localhost ~]# source /etc/profile.d/httpd.sh
//7.设置头文件链接
[root@localhost ~]# ln -s /usr/local/httpd/include /usr/include/httpd
//8.设置帮助文档(加入以下内容)
[root@localhost ~]# vi /etc/man_db.conf
MANDATORY_MANPATH /usr/local/httpd/man
MANDATORY_MANPATH /usr/local/httpd/manual
//9.管理httpd
[root@localhost ~]# apachectl start
[root@localhost ~]# apachectl stop
[root@localhost ~]# apachectl restart
//10.关闭防火墙和SELinux(测试环境做法;若要保留防火墙,可改用 firewall-cmd --permanent --add-service=http 放行80端口后 firewall-cmd --reload;setenforce 0 只对本次运行有效,重启后恢复)
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
httpd配置
切换使用MPM
(编辑/etc/httpd/conf.modules.d/00-mpm.conf文件):
[root@localhost ~]# cd /etc/httpd/conf.modules.d/
[root@localhost conf.modules.d]# ls
00-base.conf 00-lua.conf 00-optional.conf 00-systemd.conf 10-h2.conf README
00-dav.conf 00-mpm.conf 00-proxy.conf 01-cgi.conf 10-proxy_h2.conf
[root@localhost conf.modules.d]# vim 00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines. See the httpd.conf(5) man
# page for more information on changing the MPM.
# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
#
# NOTE: If enabling prefork, the httpd_graceful_shutdown SELinux
# boolean should be enabled, to allow graceful stop/shutdown.
#
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
LoadModule mpm_event_module modules/mod_mpm_event.so
切换方式:用哪种模式就在相应的那一行取消注释,注意不能同时用两个模式,只能有一个启用。
访问控制法则
法则 | 功能 |
---|---|
Require all granted | 允许所有主机访问 |
Require all denied | 拒绝所有主机访问 |
Require ip IPADDR | 授权指定来源地址的主机访问 |
Require not ip IPADDR | 拒绝指定来源地址的主机访问 |
Require host HOSTNAME | 授权指定来源主机名的主机访问 |
Require not host HOSTNAME | 拒绝指定来源主机名的主机访问 |
默认首页在/var/www/html/index.html
//在/var/www/html中创建一个test文件夹
[root@localhost html]# mkdir test
[root@localhost html]# echo 'haha' > /var/www/html/test/index.html
访问192.168.21.129/test/
:
请问如果想让有些人能访问test,有些人不能访问,应该怎么做呢?
比如192.168.21.1不让访问test:
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
//在后面加上这个访问控制法则,192.168.21.1为本机地址
<Directory "/var/www/html/test">
<RequireAll>
Require not ip 192.168.21.1
Require all granted
</RequireAll>
</Directory>
[root@localhost ~]# systemctl restart httpd
[root@localhost html]# curl http://192.168.21.129/test/index.html
haha
如果将法则改为192.168.21.129:
[root@localhost html]# vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html/test">
<RequireAll>
Require not ip 192.168.21.129
Require all granted
</RequireAll>
</Directory>
或
<Directory "/var/www/html/test">
Require ip 192.168.21.1
</Directory>
[root@localhost html]# systemctl restart httpd
[root@localhost html]# curl http://192.168.21.129/test/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /test/index.html
on this server.<br />
</p>
</body></html>
则虚拟机无法访问,本机可以访问
三种虚拟主机的配置
虚拟主机有三类:
- 相同IP不同端口
- 不同IP相同端口
- 相同IP相同端口不同域名
相同IP不同端口
[root@localhost ~]# hostname
localhost.localdomain
[root@localhost ~]# hostnamectl set-hostname www.example.com
[root@localhost ~]# bash
[root@www ~]# hostname
www.example.com
[root@www ~]# cd /etc/httpd/conf.d
[root@www conf.d]# find / -name *vhosts.conf
/usr/share/doc/httpd/httpd-vhosts.conf
[root@www conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf .
[root@www conf.d]# ls
autoindex.conf httpd-vhosts.conf README userdir.conf welcome.conf
[root@www conf.d]# vim httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/"
ServerName www.example.com
ErrorLog "/var/log/httpd/www.example.com-error_log"
CustomLog "/var/log/httpd/www.example.com-access_log" common
</VirtualHost>
[root@www conf.d]# systemctl restart httpd
在源码之家上下载2个HTML5实例
[root@www ~]# ls
anaconda-ks.cfg HTML5_Windows10.zip taikongheidongdonghua.zip
[root@www ~]# unzip HTML5_Windows10.zip taikongheidongdonghua.zip
[root@www ~]# mv HTML5模仿Windows10桌面代码 win10
[root@www ~]# mv HTML5太空黑洞动画代码 taikong
[root@www ~]# ls
anaconda-ks.cfg HTML5_Windows10.zip taikong taikongheidongdonghua.zip win10
[root@www ~]# mv taikong win10 /var/www/html/
[root@www ~]# cd /var/www/html/
[root@www html]# ls
index.html taikong test win10
[root@www ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/win10"
ServerName win10.example.com
ErrorLog "/var/log/httpd/win10.example.com-error_log"
CustomLog "/var/log/httpd/win10.example.com-access_log" common
</VirtualHost>
Listen 81
<VirtualHost *:81>
DocumentRoot "/var/www/html/taikong"
ServerName taikong.example.com
ErrorLog "/var/log/httpd/taikong.example.com-error_log"
CustomLog "/var/log/httpd/taikong.example.com-access_log" common
</VirtualHost>
[root@www ~]# systemctl restart httpd
访问192.168.21.129:80
访问192.168.21.129:81
不同IP相同端口
[root@www ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost 192.168.21.129:80>
DocumentRoot "/var/www/html/win10"
ServerName win10.example.com
ErrorLog "/var/log/httpd/win10.example.com-error_log"
CustomLog "/var/log/httpd/win10.example.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.21.250:80>
DocumentRoot "/var/www/html/taikong"
ServerName taikong.example.com
ErrorLog "/var/log/httpd/taikong.example.com-error_log"
CustomLog "/var/log/httpd/taikong.example.com-access_log" common
</VirtualHost>
[root@www ~]# systemctl restart httpd
[root@www ~]# ip a
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:c8:3e:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.21.129/24 brd 192.168.21.255 scope global dynamic noprefixroute ens160
valid_lft 908sec preferred_lft 908sec
inet6 fe80::197b:f289:f6a9:5e1d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@www ~]# ip addr add 192.168.21.250/24 dev ens160
[root@www ~]# ip a
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:c8:3e:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.21.129/24 brd 192.168.21.255 scope global dynamic noprefixroute ens160
valid_lft 1783sec preferred_lft 1783sec
inet 192.168.21.250/24 scope global secondary ens160
valid_lft forever preferred_lft forever
inet6 fe80::197b:f289:f6a9:5e1d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
访问192.168.21.129
访问192.168.21.250
相同IP相同端口不同域名
[root@www ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/win10"
ServerName win10.example.com
ErrorLog "/var/log/httpd/win10.example.com-error_log"
CustomLog "/var/log/httpd/win10.example.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/var/www/html/taikong"
ServerName taikong.example.com
ErrorLog "/var/log/httpd/taikong.example.com-error_log"
CustomLog "/var/log/httpd/taikong.example.com-access_log" common
</VirtualHost>
[root@www ~]# systemctl restart httpd
IP地址映射:
hosts目录
C:\Windows\System32\drivers\etc\hosts
192.168.21.129 win10.example.com taikong.example.com
访问win10.example.com
访问taikong.example.com
https配置
CA的配置文件:/etc/pki/tls/openssl.cnf
CA生成一对密钥
[root@www ~]# cd /etc/pki/CA
bash: cd: /etc/pki/CA: No such file or directory
[root@www ~]# mkdir /etc/pki/CA
[root@www ~]# cd /etc/pki/CA
//生成密钥
[root@www CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
genrsa: Can't open "private/cakey.pem" for writing, No such file or directory
[root@www CA]# mkdir private
[root@www CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................+++++
................................+++++
e is 65537 (0x010001)
[root@www CA]# ls private/
cakey.pem
//提取公钥
[root@www CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1vk5foqHDeMcPTXJHFeS
ZjICQsb/Af8SJH6351kuG5kL5Axjq1XsUbuM3FZyIwJ7HpV1CQBlfhJJ1ku6EkfU
1wRq+9G+ZE03sONBIpXqUsuTnMw0CDBZWXHFlwzi2iI3PpIVZLNNkk4DiHN3jJVm
ypjclmA0r25SSXdClyP68/63OaeIgg0GZptsulKdTzaxPxDwByE4mGjX4497aFzY
FKEYKDLkUAhK4LJcUoCuLmu3Vj+3hnHl/YvOLKgm9D+I3UO5ATQaIrVEbSWUyoDl
EzvHz/dAf6eUXMN+pcwnJZpuPEkXFdu0oMWvTeu7vI1Dx7uS9ydQjTZvb5UW/vKe
fwIDAQAB
-----END PUBLIC KEY-----
CA生成自签署证书
//生成自签署证书
[root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:yuqinghao
Organizational Unit Name (eg, section) []:xuexi
Common Name (eg, your name or your server's hostname) []:taikong.example.com
Email Address []:1@2.com
//读出cacert.pem证书的内容
[root@www CA]# openssl x509 -text -in cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
59:86:ea:fc:15:3a:a5:05:9c:7f:01:0d:82:6e:ec:b8:6e:47:b8:6e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = cn, ST = HB, L = WH, O = runtime, OU = peixun, CN = taikong.example.com, emailAddress = 1@2.com
Validity
Not Before: Dec 21 14:49:18 2020 GMT
Not After : Dec 21 14:49:18 2021 GMT
Subject: C = cn, ST = HB, L = WH, O = runtime, OU = peixun, CN = taikong.example.com, emailAddress = 1@2.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d6:f9:39:7e:8a:87:0d:e3:1c:3d:35:c9:1c:57:
92:66:32:02:42:c6:ff:01:ff:12:24:7e:b7:e7:59:
2e:1b:99:0b:e4:0c:63:ab:55:ec:51:bb:8c:dc:56:
72:23:02:7b:1e:95:75:09:00:65:7e:12:49:d6:4b:
ba:12:47:d4:d7:04:6a:fb:d1:be:64:4d:37:b0:e3:
41:22:95:ea:52:cb:93:9c:cc:34:08:30:59:59:71:
c5:97:0c:e2:da:22:37:3e:92:15:64:b3:4d:92:4e:
03:88:73:77:8c:95:66:ca:98:dc:96:60:34:af:6e:
52:49:77:42:97:23:fa:f3:fe:b7:39:a7:88:82:0d:
06:66:9b:6c:ba:52:9d:4f:36:b1:3f:10:f0:07:21:
38:98:68:d7:e3:8f:7b:68:5c:d8:14:a1:18:28:32:
e4:50:08:4a:e0:b2:5c:52:80:ae:2e:6b:b7:56:3f:
b7:86:71:e5:fd:8b:ce:2c:a8:26:f4:3f:88:dd:43:
b9:01:34:1a:22:b5:44:6d:25:94:ca:80:e5:13:3b:
c7:cf:f7:40:7f:a7:94:5c:c3:7e:a5:cc:27:25:9a:
6e:3c:49:17:15:db:b4:a0:c5:af:4d:eb:bb:bc:8d:
43:c7:bb:92:f7:27:50:8d:36:6f:6f:95:16:fe:f2:
9e:7f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4F:05:D3:F8:A8:3A:D0:A3:86:BF:9B:E8:D6:AA:2B:02:7E:7C:CE:16
X509v3 Authority Key Identifier:
keyid:4F:05:D3:F8:A8:3A:D0:A3:86:BF:9B:E8:D6:AA:2B:02:7E:7C:CE:16
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
83:94:d7:ee:a6:a1:a5:1e:8a:5a:ab:ad:62:31:88:dd:c3:9f:
3a:59:92:99:d3:b7:f8:ba:91:ea:7d:62:e1:7b:53:de:28:2b:
53:77:0d:fe:68:26:62:53:77:fe:2a:6e:42:de:a7:ef:d1:99:
e0:89:a6:f6:4d:73:11:d9:f1:e0:3a:9a:e6:a2:af:14:70:f2:
98:bc:ab:7c:77:11:0a:1d:5a:5a:ab:cc:9b:0a:51:9f:8f:8c:
dd:20:0a:86:85:31:d4:6f:74:ed:c5:f7:d6:7f:1d:5e:ec:01:
c1:e9:e9:bd:d2:e6:da:42:3c:c7:df:14:6a:41:c1:73:dc:93:
79:cb:95:bf:48:76:58:20:f9:99:5f:58:4a:41:3e:b6:58:08:
b1:68:b2:44:78:0c:da:1b:9f:a2:61:78:5b:14:0d:73:90:0c:
56:ce:2b:90:97:11:1c:e9:b9:7d:4c:57:8e:dc:ba:bd:8d:91:
3b:b3:0c:1c:6c:38:e3:6d:3d:8f:c3:9d:40:a8:67:f1:d4:98:
a4:c1:1e:94:ea:38:34:ce:2f:15:99:ee:e0:e5:45:97:6a:43:
ca:6c:27:f8:13:e6:c4:a7:59:d8:ce:2e:90:4b:df:5b:6a:5d:
de:9f:3c:3f:42:08:69:84:b9:43:1e:ef:d5:80:f4:14:9d:29:
14:2e:a7:30
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@www CA]# mkdir certs newcerts crl
[root@www CA]# touch index.txt && echo 01 > serial
[root@www CA]# ls
cacert.pem certs crl index.txt newcerts private serial
客户端(例如httpd服务器)生成密钥
[root@www CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@www ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
..........................+++++
e is 65537 (0x010001)
客户端生成证书签署请求
[root@www ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:yuqinghao
Organizational Unit Name (eg, section) []:xuexi
Common Name (eg, your name or your server's hostname) []:taikong.example.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
CA签署客户端提交上来的证书
[root@www ssl]# openssl ca -in ./httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 21 15:15:55 2020 GMT
Not After : Dec 21 15:15:55 2021 GMT
Subject:
countryName = cn
stateOrProvinceName = HB
organizationName = yuqinghao
organizationalUnitName = xuexi
commonName = taikong.example.com
emailAddress = 1@2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F2:02:61:22:44:F9:AC:3E:61:2D:27:CF:2A:AE:E5:37:95:2B:FD:6A
X509v3 Authority Key Identifier:
keyid:4F:05:D3:F8:A8:3A:D0:A3:86:BF:9B:E8:D6:AA:2B:02:7E:7C:CE:16
Certificate is to be certified until Dec 21 15:15:55 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
修改配置文件
[root@www ~]# yum -y install mod_ssl
[root@www ~]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
//取消注释修改为taikong
DocumentRoot "/var/www/html/taikong/"
ServerName taikong.example.com:443
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that restarting httpd will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
//修改为刚刚生成证书的位置
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
//修改为刚刚生成私钥的位置
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
[root@www ~]# systemctl restart httpd
[root@www ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:80 *:*
访问https://taikong.example.com
高级-接受风险并继续(浏览器提示风险是因为证书由自签CA签发;若要去掉提示,需把 /etc/pki/CA/cacert.pem 导入客户端的受信任根证书,且多数现代浏览器还要求证书包含 subjectAltName,而上面签发的证书只设置了 CN)
访问https://win10.example.com(证书的 CN 是 taikong.example.com,443 端口也只配置了 taikong 这一个 VirtualHost,所以这里应会提示证书名称不匹配,并看到 taikong 的页面内容)
以下是一步一步安装httpd时可能会遇到的错误及解决的方式
//下载源码包
[root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache/httpd/httpd-2.4.46.tar.bz2
[root@localhost ~]# ls
anaconda-ks.cfg httpd-2.4.46.tar.bz2
//解压并进入
[root@localhost ~]# tar xf httpd-2.4.46.tar.bz2
[root@localhost ~]# ls
anaconda-ks.cfg httpd-2.4.46 httpd-2.4.46.tar.bz2
[root@localhost ~]# cd httpd-2.4.46
[root@localhost httpd-2.4.46]# ls
ABOUT_APACHE BuildBin.dsp emacs-style LAYOUT NOTICE srclib
acinclude.m4 buildconf httpd.dep libhttpd.dep NWGNUmakefile support
Apache-apr2.dsw CHANGES httpd.dsp libhttpd.dsp os test
Apache.dsw CMakeLists.txt httpd.mak libhttpd.mak README VERSIONING
apache_probes.d config.layout httpd.spec LICENSE README.cmake
ap.d configure include Makefile.in README.platforms
build configure.in INSTALL Makefile.win ROADMAP
BuildAll.dsp docs InstallBin.dsp modules server
//尝试安装httpd
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd
checking for APR... no
configure: error: APR not found. Please read the documentation.
//解决apr not found问题
//(需要安装apr)
[root@localhost httpd-2.4.46]# cd
[root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-1.7.0.tar.gz
[root@localhost ~]# tar xf apr-1.7.0.tar.gz
[root@localhost ~]# cd apr-1.7.0
[root@localhost apr-1.7.0]# ls
apr-config.in build.conf dso libapr.rc NOTICE support
apr.dep buildconf emacs-mode LICENSE NWGNUmakefile tables
apr.dsp build-outputs.mk encoding locks passwd test
apr.dsw CHANGES file_io Makefile.in poll threadproc
apr.mak CMakeLists.txt helpers Makefile.win random time
apr.pc.in config.layout include memory README tools
apr.spec configure libapr.dep misc README.cmake user
atomic configure.in libapr.dsp mmap shmem
build docs libapr.mak network_io strings
[root@localhost apr-1.7.0]# ./configure --prefix=/usr/local/apr
[root@localhost apr-1.7.0]# echo $?
0
[root@localhost apr-1.7.0]# make
[root@localhost apr-1.7.0]# echo $?
0
[root@localhost apr-1.7.0]# make install
[root@localhost apr-1.7.0]# echo $?
0
//再尝试安装apache
[root@localhost apr-1.7.0]# cd
[root@localhost ~]# cd httpd-2.4.46
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd
checking for APR-util... no
configure: error: APR-util not found. Please read the documentation.
//解决APR-util not found问题
//(需要安装apr-util)
[root@localhost httpd-2.4.46]# cd
[root@localhost apr-util-1.6.1]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-util-1.6.1.tar.gz
[root@localhost ~]# tar xf apr-util-1.6.1.tar.gz
[root@localhost ~]# cd apr-util-1.6.1
[root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util
configure: error: APR could not be located. Please use the --with-apr option.
//解决APR could not be located问题
//(安装apr-util时需要使用--with-apr=PATH)
[root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@localhost apr-util-1.6.1]# make
xml/apr_xml.c:35:10: fatal error: expat.h: No such file or directory
//解决缺少expat库问题
//(需要安装expat-devel)
[root@localhost apr-util-1.6.1]# yum -y install expat-devel
[root@localhost apr-util-1.6.1]# echo $?
[root@localhost apr-util-1.6.1]# 0
[root@localhost apr-util-1.6.1]# make install
[root@localhost apr-util-1.6.1]# echo $?
[root@localhost apr-util-1.6.1]# 0
//再尝试安装httpd
[root@localhost apr-util-1.6.1]# cd
[root@localhost ~]# cd httpd-2.4.46
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd
checking for APR-util... no
configure: error: APR-util not found. Please read the documentation.
//解决APR-util还是not found问题
//(安装httpd时需要使用--with-apr=PATH --with-apr-util=PATH)
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util
configure: error: pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/
//解决pcre not found问题
//(需要安装pcre-devel)
[root@localhost httpd-2.4.46]# yum -y install pcre-devel
//再尝试安装httpd
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util
configure: summary of build options:
Server Version: 2.4.46
Install prefix: /usr/local/httpd
C compiler: gcc
CFLAGS: -g -O2 -pthread
CPPFLAGS: -DLINUX -D_REENTRANT -D_GNU_SOURCE
LDFLAGS:
LIBS:
C preprocessor: gcc -E
[root@localhost httpd-2.4.46]# echo $?
0
[root@localhost httpd-2.4.46]# make
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:48: htpasswd] Error 1
make[2]: Leaving directory '/root/httpd-2.4.46/support'
make[1]: *** [/root/httpd-2.4.46/build/rules.mk:75: all-recursive] Error 1
make[1]: Leaving directory '/root/httpd-2.4.46/support'
make: *** [/root/httpd-2.4.46/build/rules.mk:75: all-recursive] Error 1
[root@localhost httpd-2.4.46]# echo $?
2
//缺少了xml相关的库,需要安装libxml2-devel包。直接安装并不能解决问题,因为httpd调用的apr-util已经安装好了,但是apr-util并没有libxml2-devel包支持。
//(需要安装libxml2-devel)
[root@localhost httpd-2.4.46]# yum -y install libxml2-devel
//删除apr-util安装目录,并重新编译安装
[root@localhost httpd-2.4.46]# rm -rf /usr/local/apr-util/
[root@localhost httpd-2.4.46]# cd
[root@localhost ~]# cd apr-util-1.6.1
//清除之前配置时的缓存
[root@localhost apr-util-1.6.1]# make clean
//重新安装apr-util
[root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@localhost apr-util-1.6.1]# echo $?
0
[root@localhost apr-util-1.6.1]# make
[root@localhost apr-util-1.6.1]# echo $?
0
[root@localhost apr-util-1.6.1]# make install
[root@localhost apr-util-1.6.1]# echo $?
0
//重新编译安装httpd
[root@localhost apr-util-1.6.1]# cd
[root@localhost ~]# cd httpd-2.4.46
[root@localhost httpd-2.4.46]# make clean
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util
configure: summary of build options:
Server Version: 2.4.46
Install prefix: /usr/local/httpd
C compiler: gcc
CFLAGS: -g -O2 -pthread
CPPFLAGS: -DLINUX -D_REENTRANT -D_GNU_SOURCE
LDFLAGS:
LIBS:
C preprocessor: gcc -E
[root@localhost httpd-2.4.46]# echo $?
0
[root@localhost httpd-2.4.46]# make
[root@localhost httpd-2.4.46]# echo $?
0
[root@localhost httpd-2.4.46]# make install
[root@localhost httpd-2.4.46]# echo $?
0
//关闭防火墙修改配置文件并重启服务
[root@localhost httpd-2.4.46]# systemctl stop firewalld
[root@localhost httpd-2.4.46]# setenforce 0
[root@localhost httpd-2.4.46]# getenforce
Permissive
[root@localhost httpd-2.4.46]# /usr/local/httpd/bin/apachectl start
[root@localhost httpd-2.4.46]# vi /usr/local/httpd/conf/httpd.conf
ServerName localhost:80
[root@localhost httpd-2.4.46]# /usr/local/httpd/bin/apachectl restart
//设置环境变量
[root@localhost httpd-2.4.46]# cd
[root@localhost ~]# vi /etc/profile.d/apache.sh
export PATH=$PATH:/usr/local/httpd/bin/
[root@localhost ~]# source /etc/profile.d/apache.sh
//设置头文件链接
[root@localhost ~]# ln -s /usr/local/httpd/include/ /usr/include/httpd
//设置帮助文档(加入以下内容)
[root@localhost man]# vi /etc/man_db.conf
MANDATORY_MANPATH /usr/local/httpd/man
MANDATORY_MANPATH /usr/local/httpd/manual
//测试httpd服务
[root@localhost man]# cd
[root@localhost ~]# apachectl stop
[root@localhost ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@localhost ~]# apachectl start
[root@localhost ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
[root@localhost ~]# ip a
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:f9:ec:35 brd ff:ff:ff:ff:ff:ff
inet 192.168.237.128/24 brd 192.168.237.255 scope global dynamic noprefixroute ens160
valid_lft 1649sec preferred_lft 1649sec
inet6 fe80::96da:6b44:5ce1:8588/64 scope link noprefixroute
valid_lft forever preferred_lft forever